Threat of the Week: Mayhem in the Mobile Browser

For the past five years warnings of a coming assault by cybercriminals on mobile banking have kept getting louder. Yet the plain fact is that successful attacks on the mobile channel in the United States have been scarce.

But just maybe that’s about to change, mainly because more cyber crooks are putting more energy into mobile and, lately, there are signs that the bad guys are starting to cash in on a vulnerability that is found on just about every smartphone.

The weak link is the mobile browser.

This is potentially a huge issue in mobile banking. “We believe about half the consumers who do mobile banking are using the browser and that’s scary. What’s a browser designed to do? Run code, and that sets it up for exploitation by criminals,” said Al Pascual, a risk expert with Javelin Strategy and Research.

Architecturally, a purpose-built mobile banking app simply has far less exposure than do banking sessions conducted inside Safari or Chrome, said multiple experts. The browser, by its nature, delivers all the Web has to offer, and that means it’s also a trapdoor into high risk.

An app, by design, is a dramatically more confined experience. It has only the capabilities its developers built in, and so it can potentially be very safe.

Of course there are lingering concerns about counterfeit banking apps – generally legitimate apps that have been doctored by a crook and then uploaded to app sites to trick the unwary into installing them. Such apps continue to show up.

“It is not hard to decompile an app, insert code, and upload it. We are seeing this happen frequently,” said Jack Walsh, a mobile security expert at ICSA Labs, an independent division of Verizon.

That said, there still are no known widespread distributions of counterfeit banking apps in the U.S.

Issues with mobile browsers are different because they are much more widespread. Browsers can be tricked into running malicious ActiveX, Java, JavaScript, and other code. They also can be victimized by so-called drive-by infections where simply visiting an infected website is enough to taint the browser. There is no need to click on anything.

“With mobile browsers, users may be duped into accessing rogue websites and involuntarily revealing sensitive information,” wrote Bill Conner, CEO of Entrust, in an email.

“We will start to see mobile malware designed to capture data in a mobile banking session, involving a mobile browser,” predicted Pascual.

That’s an echo of Zeus, the bane of Windows-based online banking – but, suggested Pascual, something similar could be heading towards browser-based mobile banking.

That's why a big trend in financial institutions is doubling down on native apps: “More security is getting built into the apps, as we see a shift from mobile 1.0 to 2.0,” said Arneja.

Many apps in the mobile 1.0 era, including mobile banking apps, were frankly rushed out the door with little attention to security. At ICSA, Walsh said a primary focus of his work is probing apps in search of vulnerabilities and, he said, he finds plenty. In many apps, including financial services apps, security often has been an afterthought. “Third-party apps developers often are not security experts,” said Walsh.

That now is changing, however, particularly in financial services, as institutions recognize that they have no real control over the mobile devices but they do have control over their own apps, and it is up to them to make the most of that. “Native mobile apps are getting much more secure,” said Arneja.

Will financial institutions start to ban access to mobile banking via mobile browsers? Security experts talk about how they would like to see that happen but they also admit an outright ban is highly unlikely.

For one thing, browser access is a low-cost way to bring BlackBerry, Windows Mobile, and other platforms into mobile banking, which matters more as institutions increasingly issue only Android and iPhone apps.

For another thing, most financial institutions don’t want to seem to be denying choice to their customers – and many of us still just prefer to use the browser instead of the app.

But watch financial institutions aggressively push app use to their iPhone and Android users – particularly as the institutions roll out 2.0 apps with more potent security built in.

That is one way to help keep mobile banking safe. Exactly that is now beginning to happen at the biggest financial institutions, said the experts, and the trend will quite likely percolate down to credit unions and community banks as every financial institution comes to see better apps as a key to better mobile banking security.